Upon first request to an proxy that requires authentication the proxy answers with an HTTP 407 that contains Proxy-Authenticate header. The client now knows that the proxy requires authentication and adds the Proxy-Authorization header containing the credentials. The proxy checks the request and removed this header before forwarding the request to the target server (if the authentication was successful).